@venturewild/workspace 0.6.1 → 0.6.2

package/server/src/listings-rails.mjs

@@ -1,156 +1,156 @@
-// ListingsRails — the cross-user bazaar marketplace client (next push §N).
-//
-// A thin client over bmo-sync's POST /api/listings/{publish,list,delete,report}
-// (account-token self-authed, exactly like canvas-rails.mjs). The owner is
-// DERIVED server-side from the account token, so a caller can only ever
-// publish/delete its OWN listing. v1 carries themes only (Class A — pure-data
-// hex bundles); spike 1 (12/12) validated this exact shape.
-//
-// degrade-never-throw, like CanvasRails: a down rail or a logged-out install
-// never breaks the local bazaar. `publish`/`delete`/`report` resolve to false on
-// any failure; `list` resolves to { ok:false, listings:[] } so the caller serves
-// seeds + the user's own listings (the offline tier). The rails are the network
-// LAYER on top of the local file-backed bazaar — never a hard dependency.
-
-const DEFAULT_TIMEOUT_MS = 4000;
-
-export class ListingsRails {
-  constructor({
-    bmoSyncUrl,
-    accountToken,
-    timeoutMs = DEFAULT_TIMEOUT_MS,
-    fetchImpl = (...a) => globalThis.fetch(...a),
-  } = {}) {
-    this.bmoSyncUrl = bmoSyncUrl ? bmoSyncUrl.replace(/\/$/, '') : null;
-    this.accountToken = accountToken || null;
-    this.timeoutMs = timeoutMs;
-    this.fetchImpl = fetchImpl;
-    // Inert without a token (can't key it) or without a server URL.
-    this.capable = Boolean(this.accountToken) && Boolean(this.bmoSyncUrl);
-  }
-
-  async _post(path, body) {
-    if (!this.capable) return null;
-    const ctrl = new AbortController();
-    const timer = setTimeout(() => ctrl.abort(), this.timeoutMs);
-    if (timer.unref) timer.unref();
-    try {
-      const r = await this.fetchImpl(`${this.bmoSyncUrl}${path}`, {
-        method: 'POST',
-        headers: { 'content-type': 'application/json' },
-        body: JSON.stringify({ account_token: this.accountToken, ...body }),
-        signal: ctrl.signal,
-      });
-      if (!r || !r.ok) return null;
-      return await r.json().catch(() => null);
-    } catch {
-      return null; // network / abort / parse — caller degrades to local-only
-    } finally {
-      clearTimeout(timer);
-    }
-  }
-
-  /**
-   * Publish (upsert) one listing card to the global pool. Best-effort.
-   * @returns {Promise<boolean>} true iff the rails accepted it.
-   */
-  async publish(listing) {
-    const resp = await this._post('/api/listings/publish', { listing });
-    return Boolean(resp && resp.ok === true);
-  }
-
-  /**
-   * The global pool, optionally filtered by kind (v1: 'theme').
-   * @returns {Promise<{ok:boolean, listings:Array}>}
-   *   ok:true  → the rails answered; `listings` is the raw ListItem array
-   *              ({id,kind,json,producer_handle,producer_name,created_at,updated_at}).
-   *   ok:false → unreachable / not configured → caller serves seeds + own only.
-   */
-  async list({ kind = 'theme' } = {}) {
-    const resp = await this._post('/api/listings/list', { kind });
-    if (!resp || resp.ok !== true || !Array.isArray(resp.listings)) {
-      return { ok: false, listings: [] };
-    }
-    return { ok: true, listings: resp.listings };
-  }
-
-  /** Soft-delete the caller's own listing. Best-effort. */
-  async delete(id) {
-    const resp = await this._post('/api/listings/delete', { id });
-    return Boolean(resp && resp.ok === true);
-  }
-
-  /** Report a listing to the ops inbox (the GLM day-one must-have). Best-effort. */
-  async report(id, reason = '') {
-    const resp = await this._post('/api/listings/report', { id, reason: String(reason || '').slice(0, 500) });
-    return Boolean(resp && resp.ok === true);
-  }
-}
-
-/**
- * Turn a rails ListItem into a bazaar theme card: parse the stored card JSON and
- * OVERRIDE the producer with the server-DERIVED public identity (the real owner's
- * display name + stable handle — never "You", never the email). Returns null for a
- * non-theme / unparsable row. The theme bundle is re-validated by the bazaar core
- * on read (normalizeTheme), so this stays a pure shape transform.
- */
-export function railItemToCard(item) {
-  if (!item || typeof item !== 'object') return null;
-  let card;
-  try {
-    card = JSON.parse(item.json);
-  } catch {
-    return null;
-  }
-  if (!card || typeof card !== 'object' || card.kind !== 'theme') return null;
-  return {
-    ...card,
-    id: item.id, // trust the server's stable id, not the embedded copy
-    kind: 'theme',
-    source: 'rails',
-    producer: {
-      name: item.producer_name || 'A maker',
-      handle: item.producer_handle || 'maker',
-      kind: 'maker',
-    },
-  };
-}
-
-/**
- * Turn a rails ListItem into a bazaar RECIPE card: parse the stored card JSON and
- * OVERRIDE the producer with the server-DERIVED public identity (never the email).
- * Carries `knowHow` through (the payload a consumer's agent absorbs). Returns null
- * for a non-recipe / unparsable row. The bazaar core re-runs the Class-B scan on
- * this know-how on read (readRailsRecipes) and drops it if unsafe, so this stays a
- * pure shape transform.
- */
-export function railItemToRecipeCard(item) {
-  if (!item || typeof item !== 'object') return null;
-  let card;
-  try {
-    card = JSON.parse(item.json);
-  } catch {
-    return null;
-  }
-  if (!card || typeof card !== 'object' || card.kind !== 'recipe') return null;
-  return {
-    ...card,
-    id: item.id, // trust the server's stable id, not the embedded copy
-    kind: 'recipe',
-    source: 'rails',
-    producer: {
-      name: item.producer_name || 'A maker',
-      handle: item.producer_handle || 'maker',
-      kind: 'maker',
-    },
-  };
-}
-
-/** Build the client from server config + account (or an inert one when logged out). */
-export function createListingsRails(config, account, fetchImpl) {
-  return new ListingsRails({
-    bmoSyncUrl: config?.bmoSyncServerUrl,
-    accountToken: account?.accountToken,
-    fetchImpl,
-  });
-}
+// ListingsRails — the cross-user bazaar marketplace client (next push §N).
+//
+// A thin client over bmo-sync's POST /api/listings/{publish,list,delete,report}
+// (account-token self-authed, exactly like canvas-rails.mjs). The owner is
+// DERIVED server-side from the account token, so a caller can only ever
+// publish/delete its OWN listing. v1 carries themes only (Class A — pure-data
+// hex bundles); spike 1 (12/12) validated this exact shape.
+//
+// degrade-never-throw, like CanvasRails: a down rail or a logged-out install
+// never breaks the local bazaar. `publish`/`delete`/`report` resolve to false on
+// any failure; `list` resolves to { ok:false, listings:[] } so the caller serves
+// seeds + the user's own listings (the offline tier). The rails are the network
+// LAYER on top of the local file-backed bazaar — never a hard dependency.
+
+const DEFAULT_TIMEOUT_MS = 4000;
+
+export class ListingsRails {
+  constructor({
+    bmoSyncUrl,
+    accountToken,
+    timeoutMs = DEFAULT_TIMEOUT_MS,
+    fetchImpl = (...a) => globalThis.fetch(...a),
+  } = {}) {
+    this.bmoSyncUrl = bmoSyncUrl ? bmoSyncUrl.replace(/\/$/, '') : null;
+    this.accountToken = accountToken || null;
+    this.timeoutMs = timeoutMs;
+    this.fetchImpl = fetchImpl;
+    // Inert without a token (can't key it) or without a server URL.
+    this.capable = Boolean(this.accountToken) && Boolean(this.bmoSyncUrl);
+  }
+
+  async _post(path, body) {
+    if (!this.capable) return null;
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), this.timeoutMs);
+    if (timer.unref) timer.unref();
+    try {
+      const r = await this.fetchImpl(`${this.bmoSyncUrl}${path}`, {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ account_token: this.accountToken, ...body }),
+        signal: ctrl.signal,
+      });
+      if (!r || !r.ok) return null;
+      return await r.json().catch(() => null);
+    } catch {
+      return null; // network / abort / parse — caller degrades to local-only
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+
+  /**
+   * Publish (upsert) one listing card to the global pool. Best-effort.
+   * @returns {Promise<boolean>} true iff the rails accepted it.
+   */
+  async publish(listing) {
+    const resp = await this._post('/api/listings/publish', { listing });
+    return Boolean(resp && resp.ok === true);
+  }
+
+  /**
+   * The global pool, optionally filtered by kind (v1: 'theme').
+   * @returns {Promise<{ok:boolean, listings:Array}>}
+   *   ok:true  → the rails answered; `listings` is the raw ListItem array
+   *              ({id,kind,json,producer_handle,producer_name,created_at,updated_at}).
+   *   ok:false → unreachable / not configured → caller serves seeds + own only.
+   */
+  async list({ kind = 'theme' } = {}) {
+    const resp = await this._post('/api/listings/list', { kind });
+    if (!resp || resp.ok !== true || !Array.isArray(resp.listings)) {
+      return { ok: false, listings: [] };
+    }
+    return { ok: true, listings: resp.listings };
+  }
+
+  /** Soft-delete the caller's own listing. Best-effort. */
+  async delete(id) {
+    const resp = await this._post('/api/listings/delete', { id });
+    return Boolean(resp && resp.ok === true);
+  }
+
+  /** Report a listing to the ops inbox (the GLM day-one must-have). Best-effort. */
+  async report(id, reason = '') {
+    const resp = await this._post('/api/listings/report', { id, reason: String(reason || '').slice(0, 500) });
+    return Boolean(resp && resp.ok === true);
+  }
+}
+
+/**
+ * Turn a rails ListItem into a bazaar theme card: parse the stored card JSON and
+ * OVERRIDE the producer with the server-DERIVED public identity (the real owner's
+ * display name + stable handle — never "You", never the email). Returns null for a
+ * non-theme / unparsable row. The theme bundle is re-validated by the bazaar core
+ * on read (normalizeTheme), so this stays a pure shape transform.
+ */
+export function railItemToCard(item) {
+  if (!item || typeof item !== 'object') return null;
+  let card;
+  try {
+    card = JSON.parse(item.json);
+  } catch {
+    return null;
+  }
+  if (!card || typeof card !== 'object' || card.kind !== 'theme') return null;
+  return {
+    ...card,
+    id: item.id, // trust the server's stable id, not the embedded copy
+    kind: 'theme',
+    source: 'rails',
+    producer: {
+      name: item.producer_name || 'A maker',
+      handle: item.producer_handle || 'maker',
+      kind: 'maker',
+    },
+  };
+}
+
+/**
+ * Turn a rails ListItem into a bazaar RECIPE card: parse the stored card JSON and
+ * OVERRIDE the producer with the server-DERIVED public identity (never the email).
+ * Carries `knowHow` through (the payload a consumer's agent absorbs). Returns null
+ * for a non-recipe / unparsable row. The bazaar core re-runs the Class-B scan on
+ * this know-how on read (readRailsRecipes) and drops it if unsafe, so this stays a
+ * pure shape transform.
+ */
+export function railItemToRecipeCard(item) {
+  if (!item || typeof item !== 'object') return null;
+  let card;
+  try {
+    card = JSON.parse(item.json);
+  } catch {
+    return null;
+  }
+  if (!card || typeof card !== 'object' || card.kind !== 'recipe') return null;
+  return {
+    ...card,
+    id: item.id, // trust the server's stable id, not the embedded copy
+    kind: 'recipe',
+    source: 'rails',
+    producer: {
+      name: item.producer_name || 'A maker',
+      handle: item.producer_handle || 'maker',
+      kind: 'maker',
+    },
+  };
+}
+
+/** Build the client from server config + account (or an inert one when logged out). */
+export function createListingsRails(config, account, fetchImpl) {
+  return new ListingsRails({
+    bmoSyncUrl: config?.bmoSyncServerUrl,
+    accountToken: account?.accountToken,
+    fetchImpl,
+  });
+}

package/server/src/logpaths.mjs

@@ -1,98 +1,98 @@
-// logpaths — one registry for the machine-global logs so `doctor`, `logs`, and
-// the operator channel all read the same set, and a tiny append/rotate/tail
-// helper for the new logs we write ourselves (cli, operator).
-//
-// WHY a registry and not just scattered paths: a brand-new user's install is the
-// riskiest moment (no Claude yet, wrong Node, port busy, daemon won't resolve),
-// and "I can't see what happened on their machine" is the #1 un-debuggable
-// failure. Centralising the log locations is what lets `wild-workspace doctor`
-// gather them and the operator channel tail them by name — never by arbitrary
-// path (the tail allowlist is TAILABLE below).
-//
-// NOTE: the supervisor + daemon-supervisor keep writing their logs at the
-// global-dir root (supervisor.log / server.out.log / daemon.log) — those paths
-// are reboot-proven and pinned by tests via an injected globalDir, so we mirror
-// them here for READING rather than moving them. Everything lives under
-// ~/.wild-workspace (NEVER the synced workspace — CLAUDE.md principle #1).
-
-import os from 'node:os';
-import path from 'node:path';
-import fs from 'node:fs';
-
-// THE machine-global dir. Mirrors service.mjs globalDir() + the supervisor
-// defaults. Overridable via env for tests / unusual homes.
-export function globalDir(env = process.env) {
-  return env.WILD_WORKSPACE_GLOBAL_DIR || path.join(os.homedir(), '.wild-workspace');
-}
-
-// Logical name → filename. The first three are written by existing components;
-// cli + operator are new. Doctor bundles go under diagnosticsDir() (below).
-export const LOG_FILES = Object.freeze({
-  supervisor: 'supervisor.log', // WorkspaceSupervisor watchdog
-  server: 'server.out.log', //     the :5173 server's stdout/stderr (launcher-redirected)
-  daemon: 'daemon.log', //         the bmo-sync daemon
-  cli: 'cli.log', //               every `wild-workspace …` invocation (first-run capture)
-  operator: 'operator.log', //     the consented operator channel's audit trail
-  audit: 'audit.log', //           privileged action audit trail (share/sync/agent — S8)
-});
-
-// Logs the operator channel may tail BY NAME — never an arbitrary path.
-export const TAILABLE = Object.freeze(Object.keys(LOG_FILES));
-
-export function logFile(name, env = process.env) {
-  return path.join(globalDir(env), LOG_FILES[name] || `${name}.log`);
-}
-
-export function diagnosticsDir(env = process.env) {
-  return path.join(globalDir(env), 'diagnostics');
-}
-
-const MAX_LOG_BYTES = 2 * 1024 * 1024; // 2 MB → rotate to .1 (keep one prior gen)
-
-// Rotate `file` to `file.1` once it grows past maxBytes. Best-effort, no throw.
-export function rotateIfBig(file, maxBytes = MAX_LOG_BYTES) {
-  try {
-    if (fs.statSync(file).size > maxBytes) fs.renameSync(file, `${file}.1`);
-  } catch {
-    /* missing / racing rename — nothing to rotate */
-  }
-}
-
-// Append a timestamped line to a named log; ensures the dir + rotates. Returns
-// the file path. Never throws — logging must not break the caller's path.
-export function appendLine(name, line, env = process.env) {
-  const file = logFile(name, env);
-  try {
-    fs.mkdirSync(path.dirname(file), { recursive: true });
-    rotateIfBig(file);
-    fs.appendFileSync(file, `[${new Date().toISOString()}] ${line}\n`);
-  } catch {
-    /* read-only fs etc. — degrade silently */
-  }
-  return file;
-}
-
-// Last `n` lines of a file (logs are size-capped, so reading whole is cheap).
-// Returns '' when the file is missing/unreadable.
-export function tailFile(file, n = 200) {
-  try {
-    // Drop the trailing newline so the last line isn't an empty entry.
-    const lines = fs.readFileSync(file, 'utf8').replace(/\r?\n$/, '').split(/\r?\n/);
-    return lines.slice(Math.max(0, lines.length - n)).join('\n');
-  } catch {
-    return '';
-  }
-}
-
-// All known logs with on-disk size + mtime (null when absent) — for doctor/logs.
-export function listLogs(env = process.env) {
-  return TAILABLE.map((name) => {
-    const file = logFile(name, env);
-    try {
-      const st = fs.statSync(file);
-      return { name, file, exists: true, size: st.size, mtime: st.mtimeMs };
-    } catch {
-      return { name, file, exists: false, size: null, mtime: null };
-    }
-  });
-}
+// logpaths — one registry for the machine-global logs so `doctor`, `logs`, and
+// the operator channel all read the same set, and a tiny append/rotate/tail
+// helper for the new logs we write ourselves (cli, operator).
+//
+// WHY a registry and not just scattered paths: a brand-new user's install is the
+// riskiest moment (no Claude yet, wrong Node, port busy, daemon won't resolve),
+// and "I can't see what happened on their machine" is the #1 un-debuggable
+// failure. Centralising the log locations is what lets `wild-workspace doctor`
+// gather them and the operator channel tail them by name — never by arbitrary
+// path (the tail allowlist is TAILABLE below).
+//
+// NOTE: the supervisor + daemon-supervisor keep writing their logs at the
+// global-dir root (supervisor.log / server.out.log / daemon.log) — those paths
+// are reboot-proven and pinned by tests via an injected globalDir, so we mirror
+// them here for READING rather than moving them. Everything lives under
+// ~/.wild-workspace (NEVER the synced workspace — CLAUDE.md principle #1).
+
+import os from 'node:os';
+import path from 'node:path';
+import fs from 'node:fs';
+
+// THE machine-global dir. Mirrors service.mjs globalDir() + the supervisor
+// defaults. Overridable via env for tests / unusual homes.
+export function globalDir(env = process.env) {
+  return env.WILD_WORKSPACE_GLOBAL_DIR || path.join(os.homedir(), '.wild-workspace');
+}
+
+// Logical name → filename. The first three are written by existing components;
+// cli + operator are new. Doctor bundles go under diagnosticsDir() (below).
+export const LOG_FILES = Object.freeze({
+  supervisor: 'supervisor.log', // WorkspaceSupervisor watchdog
+  server: 'server.out.log', //     the :5173 server's stdout/stderr (launcher-redirected)
+  daemon: 'daemon.log', //         the bmo-sync daemon
+  cli: 'cli.log', //               every `wild-workspace …` invocation (first-run capture)
+  operator: 'operator.log', //     the consented operator channel's audit trail
+  audit: 'audit.log', //           privileged action audit trail (share/sync/agent — S8)
+});
+
+// Logs the operator channel may tail BY NAME — never an arbitrary path.
+export const TAILABLE = Object.freeze(Object.keys(LOG_FILES));
+
+export function logFile(name, env = process.env) {
+  return path.join(globalDir(env), LOG_FILES[name] || `${name}.log`);
+}
+
+export function diagnosticsDir(env = process.env) {
+  return path.join(globalDir(env), 'diagnostics');
+}
+
+const MAX_LOG_BYTES = 2 * 1024 * 1024; // 2 MB → rotate to .1 (keep one prior gen)
+
+// Rotate `file` to `file.1` once it grows past maxBytes. Best-effort, no throw.
+export function rotateIfBig(file, maxBytes = MAX_LOG_BYTES) {
+  try {
+    if (fs.statSync(file).size > maxBytes) fs.renameSync(file, `${file}.1`);
+  } catch {
+    /* missing / racing rename — nothing to rotate */
+  }
+}
+
+// Append a timestamped line to a named log; ensures the dir + rotates. Returns
+// the file path. Never throws — logging must not break the caller's path.
+export function appendLine(name, line, env = process.env) {
+  const file = logFile(name, env);
+  try {
+    fs.mkdirSync(path.dirname(file), { recursive: true });
+    rotateIfBig(file);
+    fs.appendFileSync(file, `[${new Date().toISOString()}] ${line}\n`);
+  } catch {
+    /* read-only fs etc. — degrade silently */
+  }
+  return file;
+}
+
+// Last `n` lines of a file (logs are size-capped, so reading whole is cheap).
+// Returns '' when the file is missing/unreadable.
+export function tailFile(file, n = 200) {
+  try {
+    // Drop the trailing newline so the last line isn't an empty entry.
+    const lines = fs.readFileSync(file, 'utf8').replace(/\r?\n$/, '').split(/\r?\n/);
+    return lines.slice(Math.max(0, lines.length - n)).join('\n');
+  } catch {
+    return '';
+  }
+}
+
+// All known logs with on-disk size + mtime (null when absent) — for doctor/logs.
+export function listLogs(env = process.env) {
+  return TAILABLE.map((name) => {
+    const file = logFile(name, env);
+    try {
+      const st = fs.statSync(file);
+      return { name, file, exists: true, size: st.size, mtime: st.mtimeMs };
+    } catch {
+      return { name, file, exists: false, size: null, mtime: null };
+    }
+  });
+}

package/server/src/observability.mjs

@@ -1,45 +1,45 @@
-// Consent for the proactive session + install observability feed (session-reporter.mjs
-// + transcript.mjs).
-//
-// DEFAULT-ON: an absent file means consented — because the disclosure is shown at
-// onboarding, and this is the model the apps users already trust use (they retain
-// sessions by default with an easy off). An explicit opt-out persists here. Kept
-// in its own file (not agent-identity.json) so it's readable at first load —
-// before the agent is even named — and trivial to flip. Mirrors operator.mjs.
-//
-// What "on" actually streams: WHAT happened + install health, never the words
-// (redaction lives in session-reporter.mjs). Off also hard-stops the kill switch
-// path WILD_WORKSPACE_NO_TELEMETRY=1, which disables ALL telemetry regardless.
-
-import fs from 'node:fs';
-import path from 'node:path';
-
-export const OBSERVABILITY_VERSION = 1;
-
-function consentFile(dataDir) {
-  return path.join(dataDir, 'observability.json');
-}
-
-export function loadObservabilityConsent(dataDir) {
-  try {
-    const p = JSON.parse(fs.readFileSync(consentFile(dataDir), 'utf8'));
-    return {
-      enabled: p.enabled !== false,
-      decidedAt: p.decidedAt ? Number(p.decidedAt) : null,
-      version: Number(p.version) || OBSERVABILITY_VERSION,
-    };
-  } catch {
-    return { enabled: true, decidedAt: null, version: OBSERVABILITY_VERSION }; // default-on
-  }
-}
-
-export function setObservabilityConsent(dataDir, enabled) {
-  const rec = { enabled: Boolean(enabled), decidedAt: Date.now(), version: OBSERVABILITY_VERSION };
-  try {
-    fs.mkdirSync(dataDir, { recursive: true });
-    fs.writeFileSync(consentFile(dataDir), JSON.stringify(rec, null, 2), { mode: 0o600 });
-  } catch {
-    /* read-only fs — fall back to in-memory for this run */
-  }
-  return rec;
-}
+// Consent for the proactive session + install observability feed (session-reporter.mjs
+// + transcript.mjs).
+//
+// DEFAULT-ON: an absent file means consented — because the disclosure is shown at
+// onboarding, and this is the model the apps users already trust use (they retain
+// sessions by default with an easy off). An explicit opt-out persists here. Kept
+// in its own file (not agent-identity.json) so it's readable at first load —
+// before the agent is even named — and trivial to flip. Mirrors operator.mjs.
+//
+// What "on" actually streams: WHAT happened + install health, never the words
+// (redaction lives in session-reporter.mjs). Off also hard-stops the kill switch
+// path WILD_WORKSPACE_NO_TELEMETRY=1, which disables ALL telemetry regardless.
+
+import fs from 'node:fs';
+import path from 'node:path';
+
+export const OBSERVABILITY_VERSION = 1;
+
+function consentFile(dataDir) {
+  return path.join(dataDir, 'observability.json');
+}
+
+export function loadObservabilityConsent(dataDir) {
+  try {
+    const p = JSON.parse(fs.readFileSync(consentFile(dataDir), 'utf8'));
+    return {
+      enabled: p.enabled !== false,
+      decidedAt: p.decidedAt ? Number(p.decidedAt) : null,
+      version: Number(p.version) || OBSERVABILITY_VERSION,
+    };
+  } catch {
+    return { enabled: true, decidedAt: null, version: OBSERVABILITY_VERSION }; // default-on
+  }
+}
+
+export function setObservabilityConsent(dataDir, enabled) {
+  const rec = { enabled: Boolean(enabled), decidedAt: Date.now(), version: OBSERVABILITY_VERSION };
+  try {
+    fs.mkdirSync(dataDir, { recursive: true });
+    fs.writeFileSync(consentFile(dataDir), JSON.stringify(rec, null, 2), { mode: 0o600 });
+  } catch {
+    /* read-only fs — fall back to in-memory for this run */
+  }
+  return rec;
+}